Firejail

From Extremely Corporate Wiki

Firejail (GitHub, ArchWiki) is a sandboxing tool. It lets you run a program and limit its access to your computer.

By default, all users can use Firejail. Because Firejail has SUID privileges, this may be undesirable. You can restrict the users who can run Firejail by creating /etc/firejail/firejail.users. Only the users with the names listed in this file may run Firejail.
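
One way to audit this restriction, as an added example that is not part of this wiki page or of the Firejail project: the shell functions below (hypothetical names) read a firejail.users-style file, assuming one user name per line, and report who is allowed. A missing file means every user may run Firejail, and an empty file means no one is listed.

```shell
#!/bin/sh
# Added example, not Firejail's own code. Function names are hypothetical.
# Assumption: the users file holds one user name per line.

# firejail_allowed_users USERS_FILE
#   prints "all-users" when the file is absent (the default described above),
#   otherwise "restricted:" followed by the comma-separated names it lists.
firejail_allowed_users() {
    users_file=$1
    if [ ! -f "$users_file" ]; then
        echo "all-users"
        return 0
    fi
    # Trim whitespace, drop blank lines, join the names with commas.
    names=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        "$users_file" | paste -sd, -)
    echo "restricted:$names"
}

# firejail_user_allowed USER USERS_FILE
#   exit status 0 if USER may run Firejail according to USERS_FILE, else 1.
firejail_user_allowed() {
    user=$1
    [ -n "$user" ] || return 1
    state=$(firejail_allowed_users "$2")
    case "$state" in
        all-users) return 0 ;;
    esac
    # Whole-name match, so "al" does not match "alice".
    case ",${state#restricted:}," in
        *",$user,"*) return 0 ;;
    esac
    return 1
}

# Stand-alone use: ./audit.sh "$(command -v firejail)" [USERS_FILE]
if [ $# -ge 1 ]; then
    if [ -u "$1" ]; then echo "$1 has the SUID bit set"; fi
    firejail_allowed_users "${2:-/etc/firejail/firejail.users}"
fi
```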

Snippets

Here are some examples of things you can do with Firejail.

Useful Flags

  • --net=none: no internet access.

Run a shell with its home set to the current directory

firejail --disable-mnt --private=. --tab $SHELL

This spawns a shell whose home directory appears to be the directory from which you ran the above command. Your actual home directory, as well as the home directories of other users, will be invisible to the shell and any process spawned from it.

Without the --tab option, tab completion will not be available to the shell, which can be cumbersome. If tab completion gets disabled for the directory, the setting is stored in a file called .inputrc in that directory. Tab completion can be restored by editing or removing the .inputrc file.